public void Unprotect_KeyRevoked_RevocationDisallowed_ThrowsKeyRevoked()
{
// Arrange
Guid keyId = new Guid("654057ab-2491-4471-a72a-b3b114afda38");
byte[] protectedData = BuildProtectedDataFromCiphertext(
keyId: keyId,
ciphertext: new byte[0]);
var mockDescriptor = new Mock <IAuthenticatedEncryptorDescriptor>();
mockDescriptor.Setup(o => o.CreateEncryptorInstance()).Returns(new Mock <IAuthenticatedEncryptor>().Object);
// the keyring has only one key
Key key = new Key(keyId, DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, mockDescriptor.Object);
key.SetRevoked();
var keyRing = new KeyRing(key, new[] { key });
var mockKeyRingProvider = new Mock <IKeyRingProvider>();
mockKeyRingProvider.Setup(o => o.GetCurrentKeyRing()).Returns(keyRing);
IDataProtector protector = new KeyRingBasedDataProtector(
keyRingProvider: mockKeyRingProvider.Object,
logger: null,
originalPurposes: null,
newPurpose: "purpose");
// Act & assert
var ex = ExceptionAssert2.ThrowsCryptographicException(() => protector.Unprotect(protectedData));
Assert.Equal(Error.Common_KeyRevoked(keyId).Message, ex.Message);
}
public void Ctor_Pointer_WithNullPointer_ThrowsArgumentNull()
{
// Act & assert
ExceptionAssert2.ThrowsArgumentNull(
testCode: () => new Secret(null, 0),
paramName: "secret");
}
public void Unprotect_KeyNotFound_RefreshOnce_ThrowsKeyNotFound()
{
// Arrange
Guid notFoundKeyId = new Guid("654057ab-2491-4471-a72a-b3b114afda38");
byte[] protectedData = BuildProtectedDataFromCiphertext(
keyId: notFoundKeyId,
ciphertext: new byte[0]);
var mockDescriptor = new Mock <IAuthenticatedEncryptorDescriptor>();
var mockEncryptorFactory = new Mock <IAuthenticatedEncryptorFactory>();
mockEncryptorFactory.Setup(o => o.CreateEncryptorInstance(It.IsAny <IKey>())).Returns(new Mock <IAuthenticatedEncryptor>().Object);
var encryptorFactory = new AuthenticatedEncryptorFactory(NullLoggerFactory.Instance);
// the keyring has only one key
Key key = new Key(Guid.Empty, DateTimeOffset.Now, DateTimeOffset.Now, DateTimeOffset.Now, mockDescriptor.Object, new[] { mockEncryptorFactory.Object });
var keyRing = new CacheableKeyRing(CancellationToken.None, DateTimeOffset.MaxValue, key, new[] { key });
var keyRingProvider = CreateKeyRingProvider(new TestKeyRingProvider(keyRing));
IDataProtector protector = new KeyRingBasedDataProtector(
keyRingProvider: keyRingProvider,
logger: GetLogger(),
originalPurposes: null,
newPurpose: "purpose");
// Act & assert
var ex = ExceptionAssert2.ThrowsCryptographicException(() => protector.Unprotect(protectedData));
Assert.Equal(Error.Common_KeyNotFound(notFoundKeyId).Message, ex.Message);
}
public void WriteSecretIntoBuffer_Pointer_NullBuffer_Throws()
{
// Arrange
var secret = Secret.Random(16);
// Act & assert
ExceptionAssert2.ThrowsArgumentNull(
testCode: () => secret.WriteSecretIntoBuffer(null, 100),
paramName: "buffer");
}
public void Protect_NullPlaintext_Throws()
{
// Arrange
IDataProtector protector = new KeyRingBasedDataProtector(
keyRingProvider: new Mock <IKeyRingProvider>().Object,
logger: null,
originalPurposes: null,
newPurpose: "purpose");
// Act & assert
ExceptionAssert2.ThrowsArgumentNull(() => protector.Protect(plaintext: null), "plaintext");
}
public void Protect_HomogenizesExceptionsToCryptographicException()
{
// Arrange
IDataProtector protector = new KeyRingBasedDataProtector(
keyRingProvider: new Mock <IKeyRingProvider>(MockBehavior.Strict).Object,
logger: null,
originalPurposes: null,
newPurpose: "purpose");
// Act & assert
var ex = ExceptionAssert2.ThrowsCryptographicException(() => protector.Protect(new byte[0]));
Assert.IsAssignableFrom(typeof(MockException), ex.InnerException);
}
public void Unprotect_PayloadHasIncorrectVersionMarker_ThrowsNewerVersion()
{
// Arrange
IDataProtector protector = new KeyRingBasedDataProtector(
keyRingProvider: new Mock <IKeyRingProvider>().Object,
logger: null,
originalPurposes: null,
newPurpose: "purpose");
byte[] badProtectedPayload = BuildProtectedDataFromCiphertext(Guid.NewGuid(), new byte[0]);
badProtectedPayload[3]++; // bump the version payload
// Act & assert
var ex = ExceptionAssert2.ThrowsCryptographicException(() => protector.Unprotect(badProtectedPayload));
Assert.Equal(Resources.ProtectionProvider_BadVersion, ex.Message);
}
public void Unprotect_PayloadHasBadMagicHeader_ThrowsBadMagicHeader()
{
// Arrange
IDataProtector protector = new KeyRingBasedDataProtector(
keyRingProvider: new Mock <IKeyRingProvider>().Object,
logger: null,
originalPurposes: null,
newPurpose: "purpose");
byte[] badProtectedPayload = BuildProtectedDataFromCiphertext(Guid.NewGuid(), new byte[0]);
badProtectedPayload[0]++; // corrupt the magic header
// Act & assert
var ex = ExceptionAssert2.ThrowsCryptographicException(() => protector.Unprotect(badProtectedPayload));
Assert.Equal(Resources.ProtectionProvider_BadMagicHeader, ex.Message);
}
public void Unprotect_PayloadTooShort_ThrowsBadMagicHeader()
{
// Arrange
IDataProtector protector = new KeyRingBasedDataProtector(
keyRingProvider: new Mock <IKeyRingProvider>().Object,
logger: null,
originalPurposes: null,
newPurpose: "purpose");
byte[] badProtectedPayload = BuildProtectedDataFromCiphertext(Guid.NewGuid(), new byte[0]);
badProtectedPayload = badProtectedPayload.Take(badProtectedPayload.Length - 1).ToArray(); // chop off the last byte
// Act & assert
var ex = ExceptionAssert2.ThrowsCryptographicException(() => protector.Unprotect(badProtectedPayload));
Assert.Equal(Resources.ProtectionProvider_BadMagicHeader, ex.Message);
}
public void Encrypt_CurrentUser_Decrypt_ImpersonatedAsAnonymous_Fails()
{
// Arrange
var originalXml = XElement.Parse(@"<mySecret value='265ee4ea-ade2-43b1-b706-09b259e58b6b' />");
var encryptor = new DpapiXmlEncryptor(protectToLocalMachine: false, loggerFactory: NullLoggerFactory.Instance);
var decryptor = new DpapiXmlDecryptor();
// Act & assert - run through encryptor and make sure we get back an obfuscated element
var encryptedXmlInfo = encryptor.Encrypt(originalXml);
Assert.Equal(typeof(DpapiXmlDecryptor), encryptedXmlInfo.DecryptorType);
Assert.DoesNotContain("265ee4ea-ade2-43b1-b706-09b259e58b6b", encryptedXmlInfo.EncryptedElement.ToString(), StringComparison.OrdinalIgnoreCase);
// Act & assert - run through decryptor (while impersonated as anonymous) and verify failure
ExceptionAssert2.ThrowsCryptographicException(() =>
AnonymousImpersonation.Run(() => decryptor.Decrypt(encryptedXmlInfo.EncryptedElement)));
}